The incidence of worm, virus and Trojan attacks on the internet has been on a sharp rise lately, and enterprises are feeling a non-trivial cost due to these attacks. Even if an enterprise is never directly infected by such an attack, this cost manifests itself in the continuous vigilance required to stay abreast of the attackers, such as by:
- Continuously applying patches to workstations.
- Keeping virus definition files up to date.
- Real-time scanning of modified files.
- Scanning incoming web content and email attachments.
- Loss of productivity due to security measures or protocols, such as blocked web content or email attachments.
As enterprises are continuously trying to maintain the balance between productivity and security, they are in a continuous tradeoff situation, where on the security side there is a constant push to limit the scope of the communications pathways into the enterprise, whereas on the productivity side it is desirable to allow staff access to internet content and unhindered collaboration with their colleagues.
Should an enterprise suffer infection through these attacks, the cost it incurs and the damage it can suffer range widely, depending on the scale of the infection and the actions of the malware. This cost can include:
- IT cost in updating virus definition files and scheduling scans, or manually eliminating the infection, workstation by workstation.
- Operational crippling, when critical infrastructure such as email servers goes offline due to overload, or staff workstations have to be taken offline pending disinfection.
- Financial damage, such as when sensitive content is disclosed to the attacker or the world at large.
Currently, enterprises maintain security using a variety of methodologies, including anti-virus (AV) scanners, behavior analysis systems, restricted computing environments, and intrusion detection systems. However, the current methods used to maintain enterprise security suffer from a variety of problems that make them less than ideal solutions for effectively protecting an enterprise from malware.
By far the most serious problem with AV products is their inability to protect against unknown viruses. This allows new viruses a time window for rapid spreading and destruction, before AV software can be adapted and client hosts updated to test for their existence and stop the spreading.
The inability of AV products to protect against unknown viruses creates the need for continuously updating the AV pattern files and software. This puts a strain on IT resources, network resources and computing hardware.
Furthermore, in order to maintain sufficient vigilance, most AV products provide real-time scanning, which scans all files when they're opened, and upon modification. While this has security benefits, it also has the downside of serious performance degradation.
Behavior analysis systems look at the behavior of content to determine whether the content is malicious or benign. These systems typically execute the content, either in a sandbox of some sort or under interpretation, and monitor the actions it performs. Any content that performs actions which can be construed as malicious, such as modifying system configuration, modifying or replacing system or application executables, and so on, will be classified as malicious and most likely denied entry to the enterprise network.
However, these types of systems suffer from the major shortcoming that they exhibit a high percentage of both false positives and false negatives. As an example, system updates and application installers would surely be classified as malicious, while, say, an ActiveX control that performed malicious activity only after having been used a number of times, or for a long period of time, might evade the malicious classification.
Restricted computing environments place restrictions on the computing environment of staff within an enterprise by limiting the content that can be accessed. Access to the world wide web is often limited, whether in the set of web sites available, or in the type of content allowed. Limitations are placed on email access, most frequently in the type and size of emails and attachments allowed. General limitations are placed on access to other internet services and applications, such as Instant Messaging, file sharing services and the like. Further limitations can be placed on where documents can be saved, and quotas on the amount of storage available to users.
These restrictions have the major shortfall of curtailing productivity by limiting the range of activities available to users. These measures are also not failsafe, since the type of content allowed through filters often must include such things as office documents, portable document files (PDFs) and the like. This, coupled with the fact that viruses can propagate through many document types, plus the fact that the applications handling the documents are also prone to vulnerabilities that can be exploited through malformed content, makes those measures not very effective.
Intrusion detection systems typically have a focus on trying to detect intrusions that have already occurred, or intrusions in progress. These types of systems may suffer from false positives, and also may have very little potential for prevention. Because these systems depend on monitoring activity on the network to infer whether an intrusion is in progress, they may interpret many sorts of unusual activity as a potential intrusion. As a case in point, monitoring email activity with a trigger on the amount of traffic generated might be triggered if a particularly important memo or good joke starts making the rounds on the enterprise network.
More fundamentally, intrusion detection systems have very little prevention potential. While it is useful to receive notification of an intrusion, the fact is that once an intrusion has occurred, much of the damage has already been done. Once a viral or worm infection has taken hold, there is no way around the fact that the infection will have damaged system files and configuration, and that there is a cost to undoing this damage.
It is accordingly a primary object of the invention to allow enterprise users unfettered access to external, potentially malicious content, such as web pages, externally originated email and email attachments, while protecting the enterprise from malicious attacks by this same content.
This is achieved by the novel method of transparent isolation, which identifies the origin of the content, and persistently tags external content with its origin. Such external content can then be executed in an isolated environment, which mediates access to all resources on the local host, and to the resources and content exposed on the internal enterprise network.
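To make the mechanism described above concrete, the following is an added illustrative model, not the patent's own implementation: content is tagged with its origin, anything external-origin content writes inherits that tag, and a mediator confines external-origin content to a sandbox directory and to outward network connections. The sandbox path, read-only directories and internal address prefixes are assumed values, and the walk-through in demo() uses constructed file names and addresses.

```python
from dataclasses import dataclass

EXTERNAL, INTERNAL = "external", "internal"
SANDBOX_DIR = "/sandbox/"                 # assumed scratch area for isolated execution
READ_ONLY_DIRS = ("/usr/lib/",)           # assumed host paths external content may read
INTERNAL_NETWORKS = ("10.", "192.168.")   # assumed enterprise address prefixes

class OriginRegistry:
    """Persistent origin tags keyed by content identifier (here, a file path)."""
    def __init__(self):
        self._tags = {}
    def tag(self, content_id, origin):
        self._tags[content_id] = origin
    def origin_of(self, content_id):
        return self._tags.get(content_id, INTERNAL)  # assumption: untagged = locally created

@dataclass
class Request:
    actor: str    # identifier of the content performing the access
    kind: str     # "file" or "network"
    target: str   # file path or remote address
    action: str   # "read", "write" or "connect"

class IsolationMediator:
    def __init__(self, registry):
        self.reg = registry
    def decide(self, req):
        if self.reg.origin_of(req.actor) == INTERNAL:
            return "allow"                         # internal content is not confined
        if req.kind == "network":                  # outward traffic only, never inward
            return "deny" if req.target.startswith(INTERNAL_NETWORKS) else "allow"
        if req.action == "write":
            if not req.target.startswith(SANDBOX_DIR):
                return "deny"
            self.reg.tag(req.target, EXTERNAL)     # whatever it writes inherits the tag
            return "allow"
        return "allow" if req.target.startswith((SANDBOX_DIR,) + READ_ONLY_DIRS) else "deny"

def demo():
    reg = OriginRegistry()
    reg.tag("/sandbox/report.doc", EXTERNAL)       # constructed: a saved email attachment
    med = IsolationMediator(reg)
    return [med.decide(Request(*r)) for r in (
        ("/sandbox/report.doc", "network", "203.0.113.5", "connect"),       # allow
        ("/sandbox/report.doc", "network", "10.1.2.3", "connect"),          # deny
        ("/sandbox/report.doc", "file", "/etc/hosts", "write"),             # deny
        ("/sandbox/report.doc", "file", "/sandbox/drop.exe", "write"),      # allow
        ("/sandbox/drop.exe", "file", "/home/alice/payroll.xls", "read"),   # deny
        ("/home/alice/memo.txt", "network", "192.168.0.10", "connect"),     # allow
    )]
```

The fifth request shows why the tag must be persistent: the file dropped by the attachment is itself treated as external, so it cannot reach internal resources either.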